February 20, 2014

While the issue of vendor oversight and management is not new to the financial services industry, recent enforcement actions by the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) manifest heightened attention by federal regulators. A bank’s board of directors is required to remain vigilant to the hazards posed by outsourcing functions to third parties, or else risk significant financial and reputational harm to its institution.

Federal regulators traditionally have looked with an understanding, yet skeptical, eye towards the issue of outsourcing. Current guidance is clear, however, as to where the responsibility lies. As summarized by the Federal Deposit Insurance Corp. (FDIC) in FIL-44-2008, “An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”

Meet the New Boss

Armed with its mandate by Title X of the Dodd-Frank Act to protect consumers, the CFPB entered the vendor management fray by issuing Bulletin 2012-03. Although the message contained in the bulletin was nearly identical to previously issued guidance by the OCC and FDIC, it did provide additional insight. First, the bulletin noted that Title X of Dodd-Frank provides a definition of a “service provider,” which includes “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” (Although the legislation did not specifically define the word “material,” bankers should assume such subjectivity will be interpreted broadly by federal regulators.) Second, and more importantly, the bulletin provided banks a non-exhaustive list of “steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers,” which include:

Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law;

Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;

Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;

Establishing internal controls and on-going monitoring to determine whether the service provider is complying with federal consumer financial law; and

Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.

(Not the) Same as the Old Boss

While the message from the federal regulators has not varied over the years, recent actions by the various agencies indicate they are more likely to use enforcement as a means of guaranteeing compliance with their vendor management mandates. A detailed discussion of the cases listed below is beyond the scope of this article, but to a large degree each case focused on deceptive sales practices by third-party vendors while marketing a bank product:

CFPB – American Express, $59.5 million in restitution and $9.6 million civil penalty (December 2013)

Although neither the FDIC, OCC nor the CFPB provides community banks with an explicit exemption from the vendor management mandates, each set of rules does include a statement similar in content to that expressed in FIL-44-2008: “The precise use of a risk management process is dependent upon the nature of the third-party relationship, the scope and magnitude of the activity, and the risk identified.” For community banks that offer only traditional banking services, senior management and the board should use a common-sense level of due diligence before, during and after a third-party relationship is commenced.

We Won’t Be Fooled Again

Bank management and boards of directors should not allow recent enforcement actions to deter their use of third-party vendors to provide critical functions. The economics supporting such outsourcing decisions certainly outweigh the risks posed by potential regulatory enforcement action. However, regulators have given notice that a failure to implement and follow vendor management protocols will no longer be tolerated, and boards and management bear ultimate responsibility for any harm caused by a vendor’s failure to adhere to federal consumer financial law.

The attorneys of Bryan Cave Leighton Paisner make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.